-rw-r--r--install/tools/ipa-upgradeconfig43
-rw-r--r--ipapython/dogtag.py4
2 files changed, 31 insertions, 16 deletions
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4ed718a9b..51e5b1d59 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -204,7 +204,7 @@ def check_certs():
else:
root_logger.debug('Certificate file exists')
-def upgrade_pki(fstore):
+def upgrade_pki(ca, fstore):
"""
Update/add the dogtag proxy configuration. The IPA side of this is
handled in ipa-pki-proxy.conf.
@@ -213,8 +213,8 @@ def upgrade_pki(fstore):
"""
configured_constants = dogtag.configured_constants()
root_logger.info('[Verifying that CA proxy configuration is correct]')
- if not os.path.exists(configured_constants.CS_CFG_PATH):
- root_logger.debug('No CA detected in /etc/pki-ca')
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
return
http = httpinstance.HTTPInstance(fstore)
@@ -300,7 +300,7 @@ def upgrade_ipa_profile(ca):
if audit or ski:
return True
else:
- root_logger.debug('CA is not configured')
+ root_logger.info('CA is not configured')
return False
@@ -329,7 +329,7 @@ def named_enable_psearch():
if not bindinstance.named_conf_exists():
# DNS service may not be configured
- root_logger.debug('DNS not configured')
+ root_logger.info('DNS is not configured')
return
try:
@@ -401,7 +401,7 @@ def named_enable_serial_autoincrement():
if not bindinstance.named_conf_exists():
# DNS service may not be configured
- root_logger.debug('DNS not configured')
+ root_logger.info('DNS is not configured')
return changed
try:
@@ -448,8 +448,9 @@ def enable_certificate_renewal(ca):
Returns True when CA needs to be restarted
"""
+ root_logger.info('[Enable certificate renewal]')
if not ca.is_configured():
- root_logger.debug('dogtag not configured')
+ root_logger.info('CA is not configured')
return False
# Using the nickname find the certmonger request_id
@@ -508,11 +509,20 @@ def migrate_crl_publish_dir(ca):
root_logger.info('CRL tree already moved')
return False
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
caconfig = dogtag.configured_constants()
- old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
- 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
- separator='=')
+ try:
+ old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
+ 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+ separator='=')
+ except OSError, e:
+ root_logger.error('Cannot read CA configuration file "%s": %s',
+ caconfig.CS_CFG_PATH, e)
+ return False
if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
# publish dir is already updated
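Review bot: The new `except OSError, e:` around `installutils.get_directive` in migrate_crl_publish_dir may not catch the failure it is meant to handle. The `except X, e` syntax implies Python 2, where a failed `open()` raises IOError, which is not a subclass of OSError. get_directive is not visible here, so this is an inference; if it reads CS.cfg with `open()`, the handler should be `except EnvironmentError, e:` or `except (IOError, OSError), e:`. The same applies to the `set_directive` wrapper in the next hunk (@@ -536,9 +546,14 @@), where an uncaught error would abort the upgrade after the CRL files were already moved. The function body starts and ends outside this hunk.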
@@ -536,9 +546,14 @@ def migrate_crl_publish_dir(ca):
except Exception, e:
root_logger.error('Cannot move CRL file to new directory: %s', e)
- installutils.set_directive(caconfig.CS_CFG_PATH,
- 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
- publishdir, quotes=False, separator='=')
+ try:
+ installutils.set_directive(caconfig.CS_CFG_PATH,
+ 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
+ publishdir, quotes=False, separator='=')
+ except OSError, e:
+ root_logger.error('Cannot update CA configuration file "%s": %s',
+ caconfig.CS_CFG_PATH, e)
+ return False
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
root_logger.info('CRL publish directory has been migrated, '
'request pki-ca restart')
@@ -595,7 +610,7 @@ def main():
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
- upgrade_pki(fstore)
+ upgrade_pki(ca, fstore)
update_dbmodules(api.env.realm)
uninstall_ipa_kpasswd()
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 3bc9e5d5d..907cebc61 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -54,7 +54,7 @@ class Dogtag10Constants(object):
SERVER_ROOT = '/var/lib/pki'
PKI_INSTANCE_NAME = 'pki-tomcat'
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
- CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT
+ CRL_PUBLISH_PATH = '/var/lib/ipa/pki-ca/publish'
CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
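Review bot: For Dogtag10Constants this changes the effective value of CRL_PUBLISH_PATH from `/var/lib/pki/ipa/pki-ca/publish` to `/var/lib/ipa/pki-ca/publish`, and hosts already upgraded with the old value may never be re-migrated. migrate_crl_publish_dir appears to return early with 'CRL tree already moved' once the `moved_crl_publish_dir` state is set; the guarding check is outside the visible hunks, so this needs confirming. If so, the CA would keep publishing to the old directory, and anything serving CRLs from the new path could hand out a stale or missing CRL, which weakens revocation checking. The same literal is also repeated in Dogtag9Constants (@@ -78,7 +78,7 @@); a single module-level constant referenced by both classes, with a comment such as `# CRL publish dir is owned by IPA, independent of the Dogtag SERVER_ROOT`, would keep the two from drifting apart.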
@@ -78,7 +78,7 @@ class Dogtag9Constants(object):
SERVER_ROOT = '/var/lib'
PKI_INSTANCE_NAME = 'pki-ca'
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
- CRL_PUBLISH_PATH = '%s/ipa/pki-ca/publish' % SERVER_ROOT
+ CRL_PUBLISH_PATH = '/var/lib/ipa/pki-ca/publish'
CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT